Heap-use-after-free in SkPathRef::countVerbs
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5063957760180224
Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x60b000000488
Crash State:
  SkPathRef::countVerbs
  SkPath::isEmpty
  GrCCPRCoverageOpsBuilder::parsePath
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=509426:509661
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5063957760180224
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 18 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid.
Nov 7 2017
The following revision refers to this bug: https://skia.googlesource.com/skia/+/080baa44c50091d4e1a15550ded245c502a9ae3a

commit 080baa44c50091d4e1a15550ded245c502a9ae3a
Author: Chris Dalton <csmartdalton@google.com>
Date: Tue Nov 07 01:56:37 2017

Fix dangling pointers when Ganesh culls CCPR Ops early

BUG= chromium:775868
Change-Id: I0066e34fd8ebe4b46ad72481f5bb955dc0dd5910
Reviewed-on: https://skia-review.googlesource.com/67682
Commit-Queue: Chris Dalton <csmartdalton@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>

[modify] https://crrev.com/080baa44c50091d4e1a15550ded245c502a9ae3a/tests/GrCCPRTest.cpp
[modify] https://crrev.com/080baa44c50091d4e1a15550ded245c502a9ae3a/src/gpu/ccpr/GrCoverageCountingPathRenderer.h
[modify] https://crrev.com/080baa44c50091d4e1a15550ded245c502a9ae3a/src/gpu/ccpr/GrCoverageCountingPathRenderer.cpp
Nov 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4c9259938599dbc41ba3d965876e35c59f483476

commit 4c9259938599dbc41ba3d965876e35c59f483476
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Nov 07 05:10:38 2017

Roll src/third_party/skia/ 61ffd53a9..b49d7b011 (5 commits)

https://skia.googlesource.com/skia.git/+log/61ffd53a9065..b49d7b011878

$ git log 61ffd53a9..b49d7b011 --date=short --no-merges --format='%ad %ae %s'
2017-11-06 liyuqian This is a reland of 67340. This CL fixes the broken layout tests by preserving the containedInClip boolean. We will eventually remove it and rebaseline the layout tests.
2017-11-06 csmartdalton Fix dangling pointers when Ganesh culls CCPR Ops early
2017-11-06 bsalomon Make GrAtlasTextBlob return to caller when a flush is required during subrun tessellation.
2017-11-06 rmistry Add section for how to connect to Skia swarming bots
2017-11-06 csmartdalton Add clipping options to path text bench and samples

Created with:
  roll-dep src/third_party/skia

BUG= 775868

The AutoRoll server is located here: https://autoroll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=egdaniel@chromium.org
Change-Id: I196d21665444bf771dad313b9639952e767545aa
Reviewed-on: https://chromium-review.googlesource.com/756475
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514400}

[modify] https://crrev.com/4c9259938599dbc41ba3d965876e35c59f483476/DEPS
Nov 7 2017
ClusterFuzz has detected this issue as fixed in range 514325:514357.

Detailed report: https://clusterfuzz.com/testcase?key=5063957760180224
Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x60b000000488
Crash State:
  SkPathRef::countVerbs
  SkPath::isEmpty
  GrCCPRCoverageOpsBuilder::parsePath
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=509426:509661
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=514325:514357
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5063957760180224
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 7 2017
ClusterFuzz testcase 5063957760180224 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Oct 18 2017
Owner: csmartdalton@google.com
Status: Assigned (was: Untriaged)